Efficient centralized credential storage for remotely managed networks

ABSTRACT

An example embodiment may involve receiving, by a server device that stores a plurality of access credentials for computing devices that are disposed within a managed network, a request containing a label and an indication of an application service. The server device may be disposed within a remote network management platform that remotely manages the managed network. The example embodiment may further involve mapping, by the server device, the label and the application service to an endpoint identifier of a target computing device that is disposed within the managed network. The endpoint identifier may be associated with particular access credentials that are usable to access the application service executing on the target computing device. The example embodiment may further involve transmitting, by the server device, the endpoint identifier and the particular access credentials.

CROSS REFERENCE TO RELATED APPLICATIONS

This disclosure is a continuation of and claims priority to U.S.application Ser. No. 15/587,402, filed on May 4, 2017, which is hereinincorporated by reference in their entireties.

BACKGROUND

Remote network management may involve remotely accessing (e.g., loggingon to) computing devices on a managed network. Through this process,information about these computing devices may be collected, and theconfiguration of the computing devices may be modified. But in order togain access, sets of credentials for these computing devices should beavailable. These credentials may include userid/password pairs, or otherparameters, which permit access to specific services operating on thecomputing devices. For a network with remotely managed computing devicesoperating an extent of services, it may be challenging to storecredentials in a fashion that enables rapid identification of the propercredentials for a given computing device and service.

SUMMARY

It is now common for enterprise networks to include tens of thousands ofcomputing devices across dozens of networks, supporting thousands ofusers. These computing devices may include various types of equipment,such as client devices, server devices, routers, storage arrays, and soon. Each of these computing devices may be configured to execute one ormore services—typically software applications executing on therespective computing devices that perform specific tasks. Services mayalso be referred to as “applications” or “application services,” and maybe performed by application-layer software, kernel software, devicedriver software, or by hardware.

A computing device, or a computing device and a service executingthereon, may define a logical endpoint that is remotely accessiblethrough the use of the appropriate credentials. For instance, a serverdevice on an enterprise network may support services including a remoteadministration command-line interface such as secure shell (SSH), a webserver application, and a database application. In other embodiments,more or fewer services may be operating per computing device.

Some of these services may be associated with respective uniformresource locators (URLs). By way of these URLs, various users and/orentities may gain access to the respective application services. Inorder to limit access to the appropriate parties, each service may beassociated with a distinct set of credentials, and a party attempting touse the service may have to first authenticate itself by presentingthese credentials.

Given the increasing scale of enterprise networks, there is a growingdesire to automate at least some of the management and operationalaspects of these systems. Thus, a cloud-based remote network managementplatform may be used to consolidate the control of these tasks. Forexample, the remote network management platform may store, in adatabase, configuration and operational information regarding computingdevices of the managed network, and may provide a unified web-basedinterface through which to access this information and control thecomputing devices. By way of one or more proxy servers disposed withinthe managed network, the remote network management platform may accessthese computing devices and the services executing thereon in order tocarry out operational, configuration, and/or higher-level tasks.Accordingly, computing devices of the remote network management platformand/or the proxy servers should have access to the necessarycredentials.

In the past, these credentials were stored in various applicationsscattered throughout the managed network. To the extent that anycredentials were stored in databases, the credentials used in differentservices and remote management procedures were spread across varioustables of one of more databases. Such an arrangement led to a number ofproblems, including difficulties ensuring that all credentials aresecured (e.g., encrypted), and challenges in finding the table and/ordatabase that held a specific sought-after credential.

Accordingly, an improvement is for all credentials to be disposed withina single, unified credential store, such as a distinct database or oneor more specific tables within the configuration databases for themanaged network. The credential store may be within the remote networkmanagement platform and entries in it may be encrypted. The proxy serverin the managed network may request and receive a set of credentials fromthe credential store, and then use these credentials to access acomputing device on the managed network. Thus, credentials for a managednetwork may be stored in a unified fashion in a database that is outsideof the managed network.

In some embodiments, a managed network may use multiple logicallyseparate computing instances (e.g., physical or virtual machines thatmay also be referred to as “customer instances” or just “instances”)within the remote management platform. The high-level applicationssupported by these instances may be referred to as “orchestrations,” andmay involve remotely accessing multiple computing devices in the managednetwork, perhaps in a particular order, to carry out various tasks. Forexample, an orchestration procedure may involve applying a patch to andthen rebooting all computing devices with a particular operating system,or modifying employee records across several different computingsystems.

Each of these instances may be dedicated to a different set ofoperations with respect to the managed network. Therefore, the computingdevices and credentials used for particular services may be differentbetween instances. As an example, remote management procedures for aproduction instance may be configured to remotely access one set ofcomputing devices (e.g., computing devices that are in production use onthe managed network), while remote management procedures for a testinstance may be configured to remotely access another set of computingdevices (e.g., computing devices that are part of a testbed in themanaged network). Even if both instances are carrying out the sameorchestration (e.g., the test instance is used for testing anorchestration before it is deployed to the production instance), eachorchestration would need to use different credentials in order to avoidexposing production credentials to parties just involved in testing.

Thus, another improvement is for credentials to be associated with anendpoint identifier and a label. The endpoint identifier may specify,for example, a network address, range of network addresses, or a URLthrough which a particular service executing on a particular computingdevice is reachable. The label may be a string of characters or bits(e.g., an alphanumeric string or a bitstring of a particular length)that is associated with the endpoint identifier and the service. Remotemanagement procedures on both instances may refer to a label and anapplication service, rather than an endpoint identifier and a service orjust a service. Thus, each instance may maps the same label and/orservice to a different endpoint identifier and set of credentials. Inthis way, the values of endpoint identifiers or credentials in softwareand configuration files for orchestrations need not be modified whenthese files are transferred between instances. Instead, the values inthe credential store are modified.

Accordingly, a first example embodiment may involve a system including aproxy server application executing on a proxy server device that isdisposed within a managed network, and a server device that is disposedwithin a remote network management platform that remotely manages themanaged network. The server device may store a plurality of accesscredentials for computing devices that are disposed within the managednetwork. The server device may be configured to: receive, from the proxyserver application, a request containing a label and an indication of anapplication service; map the label and the application service to anendpoint identifier of a target computing device that is disposed withinthe managed network, where the endpoint identifier is associated withparticular access credentials of the plurality of access credentialsthat are usable to access the application service executing on thetarget computing device; and transmit, to the proxy server application,the endpoint identifier and the particular access credentials, wherereception of the endpoint identifier and the particular accesscredentials causes the proxy server application to remotely access theapplication service executing on the target computing device.

A second example embodiment may involve receiving, by a server devicethat stores a plurality of access credentials for computing devices thatare disposed within a managed network, a request containing a label andan indication of an application service. The server device may bedisposed within a remote network management platform that remotelymanages the managed network. The request may be received from arequesting device. The second example embodiment may also involvemapping, by the server device, the label and the application service toan endpoint identifier of a target computing device that is disposedwithin the managed network. The endpoint identifier may be associatedwith particular access credentials of the plurality of accesscredentials that are usable to access the application service executingon the target computing device. The second example embodiment may alsoinvolve transmitting, by the server device and to the requesting device,the endpoint identifier and the particular access credentials. Receptionof the endpoint identifier and the particular access credentials maycause the requesting device to remotely access the application serviceexecuting on the target computing device. Reception of the endpointidentifier and the particular access credentials may also cause therequesting device to store a record associating the label, theapplication service, and the particular access credentials.

In a third example embodiment, an article of manufacture may include anon-transitory computer-readable medium, having stored thereon programinstructions that, upon execution by a computing system, cause thecomputing system to perform operations in accordance with the firstand/or second example embodiment.

In a fourth example embodiment, a computing system may include at leastone processor, as well as memory and program instructions. The programinstructions may be stored in the memory, and upon execution by the atleast one processor, cause the computing system to perform operations inaccordance with the first and/or second example embodiment.

In a fifth example embodiment, a system may include various means forcarrying out each of the operations of the first and/or second exampleembodiment.

These as well as other embodiments, aspects, advantages, andalternatives will become apparent to those of ordinary skill in the artby reading the following detailed description, with reference whereappropriate to the accompanying drawings. Further, this summary andother descriptions and figures provided herein are intended toillustrate embodiments by way of example only and, as such, thatnumerous variations are possible. For instance, structural elements andprocess steps can be rearranged, combined, distributed, eliminated, orotherwise changed, while remaining within the scope of the embodimentsas claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a schematic drawing of a computing device, inaccordance with example embodiments.

FIG. 2 illustrates a schematic drawing of a server device cluster, inaccordance with example embodiments.

FIG. 3 depicts a remote network management architecture, in accordancewith example embodiments.

FIG. 4 depicts a communication environment involving a remote networkmanagement architecture, in accordance with example embodiments.

FIG. 5A depicts another communication environment involving a remotenetwork management architecture, in accordance with example embodiments.

FIG. 5B is a flow chart, in accordance with example embodiments.

FIG. 6A depicts another communication environment involving a remotenetwork management architecture, in accordance with example embodiments.

FIG. 6B depicts a message flow diagram, in accordance with exampleembodiments.

FIG. 6C depicts another message flow diagram, in accordance with exampleembodiments.

FIG. 7 is a flow chart, in accordance with example embodiments.

DETAILED DESCRIPTION

Example methods, devices, and systems are described herein. It should beunderstood that the words “example” and “exemplary” are used herein tomean “serving as an example, instance, or illustration.” Any embodimentor feature described herein as being an “example” or “exemplary” is notnecessarily to be construed as preferred or advantageous over otherembodiments or features unless stated as such. Thus, other embodimentscan be utilized and other changes can be made without departing from thescope of the subject matter presented herein.

Accordingly, the example embodiments described herein are not meant tobe limiting. It will be readily understood that the aspects of thepresent disclosure, as generally described herein, and illustrated inthe figures, can be arranged, substituted, combined, separated, anddesigned in a wide variety of different configurations. For example, theseparation of features into “client” and “server” components may occurin a number of ways.

Further, unless context suggests otherwise, the features illustrated ineach of the figures may be used in combination with one another. Thus,the figures should be generally viewed as component aspects of one ormore overall embodiments, with the understanding that not allillustrated features are necessary for each embodiment.

Additionally, any enumeration of elements, blocks, or steps in thisspecification or the claims is for purposes of clarity. Thus, suchenumeration should not be interpreted to require or imply that theseelements, blocks, or steps adhere to a particular arrangement or arecarried out in a particular order.

I. Introduction

A large enterprise is a complex entity with many interrelatedoperations. Some of these are found across the enterprise, such as humanresources (HR), supply chain, information technology (IT), and finance.However, each enterprise also has its own unique operations that provideessential capabilities and/or create competitive advantages.

To support widely-implemented operations, enterprises typically useoff-the-shelf software applications, such as customer relationshipmanagement (CRM) and human capital management (HCM) packages. However,they may also need custom software applications to meet their own uniquerequirements. A large enterprise often has dozens or hundreds of thesecustom software applications. Nonetheless, the advantages provided bythe embodiments herein are not limited to large enterprises and may beapplicable to an enterprise, or any other type of organization, of anysize.

Many such software applications are developed by individual departmentswithin the enterprise. These range from simple spreadsheets tocustom-built software tools and databases. But the proliferation ofsiloed custom software applications has numerous disadvantages. Itnegatively impacts an enterprise's ability to run and grow its business,innovate, and meet regulatory requirements. The enterprise may find itdifficult to integrate, streamline and enhance its operations due tolack of a single system that unifies its subsystems and data.

To efficiently create custom applications, enterprises would benefitfrom a remotely-hosted application platform that eliminates unnecessarydevelopment complexity. The goal of such a platform would be to reducetime-consuming, repetitive application development tasks so thatsoftware engineers and individuals in other roles can focus ondeveloping unique, high-value features.

In order to achieve this goal, the concept of Application Platform as aService (aPaaS) is introduced, to intelligently automate workflowsthroughout the enterprise. An aPaaS system is hosted remotely from theenterprise, but may access data and services within the enterprise byway of secure connections. Such an aPaaS system may have a number ofadvantageous capabilities and characteristics. These advantages andcharacteristics may be able to improve the enterprise's operations andworkflow for IT, HR, CRM, customer service, application development, andsecurity.

The aPaaS system may support development and execution ofmodel-view-controller (MVC) applications. MVC applications divide theirfunctionality into three interconnected parts (model, view, andcontroller) in order to isolate representations of information from themanner in which the information is presented to the user, therebyallowing for efficient code reuse and parallel development. Theseapplications may be web-based, and offer create, read, update, delete(CRUD) capabilities. This allows new applications to be built on acommon application infrastructure.

The aPaaS system may support standardized application components, suchas a standardized set of widgets for graphical user interface (GUI)development. In this way, applications built using the aPaaS system havea common look and feel. Other software components and modules may bestandardized as well. In some cases, this look and feel can be brandedor skinned with an enterprise's custom logos and/or color schemes.

The aPaaS system may support the ability to configure the behavior ofapplications using metadata. This allows application behaviors to berapidly adapted to meet specific needs. Such an approach reducesdevelopment time and increases flexibility. Further, the aPaaS systemmay support GUI tools that facilitate metadata creation and management,thus reducing errors in the metadata.

The aPaaS system may support clearly-defined interfaces betweenapplications, so that software developers can avoid unwantedinter-application dependencies. Thus, the aPaaS system may implement aservice layer in which persistent state information and other data isstored.

The aPaaS system may support a rich set of integration features so thatthe applications thereon can interact with legacy applications andthird-party applications. For instance, the aPaaS system may support acustom employee-onboarding system that integrates with legacy HR, IT,and accounting systems.

The aPaaS system may support enterprise-grade security. Furthermore,since the aPaaS system may be remotely hosted, it should also utilizesecurity procedures when it interacts with systems in the enterprise orthird-party networks and services hosted outside of the enterprise. Forexample, the aPaaS system may be configured to share data amongst theenterprise and other parties to detect and identify common securitythreats.

Other features, functionality, and advantages of an aPaaS system mayexist. This description is for purpose of example and is not intended tobe limiting.

As an example of the aPaaS development process, a software developer maybe tasked to create a new application using the aPaaS system. First, thedeveloper may define the data model, which specifies the types of datathat the application uses and the relationships therebetween. Then, viaa GUI of the aPaaS system, the developer enters (e.g., uploads) the datamodel. The aPaaS system automatically creates all of the correspondingdatabase tables, fields, and relationships, which can then be accessedvia an object-oriented services layer.

In addition, the aPaaS system can also build a fully-functional MVCapplication with client-side interfaces and server-side CRUD logic. Thisgenerated application may serve as the basis of further development forthe user. Advantageously, the developer does not have to spend a largeamount of time on basic application functionality. Further, since theapplication may be web-based, it can be accessed from anyInternet-enabled client device. Alternatively or additionally, a localcopy of the application may be able to be accessed, for instance, whenInternet service is not available.

The aPaaS system may also support a rich set of pre-definedfunctionality that can be added to applications. These features includesupport for searching, email, templating, workflow design, reporting,analytics, social media, scripting, mobile-friendly output, andcustomized GUIs.

The following embodiments describe architectural and functional aspectsof example aPaaS systems, as well as the features and advantagesthereof.

II. Example Computing Devices and Cloud-Based Computing Environments

FIG. 1 is a simplified block diagram exemplifying a computing device100, illustrating some of the components that could be included in acomputing device arranged to operate in accordance with the embodimentsherein. Computing device 100 could be a client device (e.g., a deviceactively operated by a user), a server device (e.g., a device thatprovides computational services to client devices), or some other typeof computational platform. Some server devices may operate as clientdevices from time to time in order to perform particular operations.

In this example, computing device 100 includes processor(s) 102(referred to as “processor 102” for sake of simplicity), memory 104,network interface(s) 106, and an input/output unit 108, all of which maybe coupled by a system bus 110 or a similar mechanism. In someembodiments, computing device 100 may include other components and/orperipheral devices (e.g., detachable storage, printers, and so on).

Processor 102 may be any type of computer processing unit, such as acentral processing unit (CPU), a co-processor (e.g., a mathematics,graphics, or encryption co-processor), a digital signal processor (DSP),a network processor, and/or a form of integrated circuit or controllerthat performs processor operations. In some cases, processor 102 may bea single-core processor, and in other cases, processor 102 may be amulti-core processor with multiple independent processing units.Processor 102 may also include register memory for temporarily storinginstructions being executed and related data, as well as cache memoryfor temporarily storing recently-used instructions and data.

Memory 104 may be any form of computer-usable memory, including but notlimited to register memory and cache memory (which may be incorporatedinto processor 102), as well as random access memory (RAM), read-onlymemory (ROM), and non-volatile memory (e.g., flash memory, hard diskdrives, solid state drives, compact discs (CDs), digital video discs(DVDs), and/or tape storage). Other types of memory may includebiological memory.

Memory 104 may store program instructions and/or data on which programinstructions may operate. By way of example, memory 104 may store theseprogram instructions on a non-transitory, computer-readable medium, suchthat the instructions are executable by processor 102 to carry out anyof the methods, processes, or operations disclosed in this specificationor the accompanying drawings.

As shown in FIG. 1, memory 104 may include firmware 104A, kernel 104B,and/or applications 104C. Firmware 104A may be program code used to bootor otherwise initiate some or all of computing device 100. Kernel 104Bmay be an operating system, including modules for memory management,scheduling and management of processes, input/output, and communication.Kernel 104B may also include device drivers that allow the operatingsystem to communicate with the hardware modules (e.g., memory units,networking interfaces, ports, and busses), of computing device 100.Applications 104C may be one or more user-space software programs, suchas web browsers or email clients, as well as any software libraries usedby these programs.

Network interface(s) 106 may take the form of a wireline interface, suchas Ethernet (e.g., Fast Ethernet, Gigabit Ethernet, and so on). Networkinterface(s) 106 may also support communication over non-Ethernet media,such as coaxial cables or power lines, or over wide-area media, such asSynchronous Optical Networking (SONET) or digital subscriber line (DSL)technologies. Network interface(s) 106 may also take the form of awireless interface, such as IEEE 802.11 (Wifi), BLUETOOTH®, globalpositioning system (GPS), or a wide-area wireless interface. However,other forms of physical layer interfaces and other types of standard orproprietary communication protocols may be used over networkinterface(s) 106. Furthermore, network interface(s) 106 may comprisemultiple physical interfaces. For instance, some embodiments ofcomputing device 100 may include Ethernet, BLUETOOTH®, and Wifiinterfaces.

Input/output unit 108 may facilitate user and peripheral deviceinteraction with example computing device 100. Input/output unit 108 mayinclude one or more types of input devices, such as a keyboard, a mouse,a touch screen, and so on. Similarly, input/output unit 108 may includeone or more types of output devices, such as a screen, monitor, printer,and/or one or more light emitting diodes (LEDs). Additionally oralternatively, computing device 100 may communicate with other devicesusing a universal serial bus (USB) or high-definition multimediainterface (HDMI) port interface, for example.

In some embodiments, one or more instances of computing device 100 maybe deployed to support an aPaaS architecture. The exact physicallocation, connectivity, and configuration of these computing devices maybe unknown and/or unimportant to client devices. Accordingly, thecomputing devices may be referred to as “cloud-based” devices that maybe housed at various remote data center locations.

FIG. 2 depicts a cloud-based server cluster 200 in accordance withexample embodiments. In FIG. 2, operations of a computing device (e.g.,computing device 100) may be distributed between server devices 202,data storage 204, and routers 206, all of which may be connected bylocal cluster network 208. The number of server devices 202, datastorages 204, and routers 206 in server cluster 200 may depend on thecomputing task(s) and/or applications assigned to server cluster 200.

For example, server devices 202 can be configured to perform variouscomputing tasks of computing device 100. Thus, computing tasks can bedistributed among one or more of server devices 202. To the extent thatthese computing tasks can be performed in parallel, such a distributionof tasks may reduce the total time to complete these tasks and return aresult. For purpose of simplicity, both server cluster 200 andindividual server devices 202 may be referred to as a “server device.”This nomenclature should be understood to imply that one or moredistinct server devices, data storage devices, and cluster routers maybe involved in server device operations.

Data storage 204 may be data storage arrays that include drive arraycontrollers configured to manage read and write access to groups of harddisk drives and/or solid state drives. The drive array controllers,alone or in conjunction with server devices 202, may also be configuredto manage backup or redundant copies of the data stored in data storage204 to protect against drive failures or other types of failures thatprevent one or more of server devices 202 from accessing units ofcluster data storage 204. Other types of memory aside from drives may beused.

Routers 206 may include networking equipment configured to provideinternal and external communications for server cluster 200. Forexample, routers 206 may include one or more packet-switching and/orrouting devices (including switches and/or gateways) configured toprovide (i) network communications between server devices 202 and datastorage 204 via cluster network 208, and/or (ii) network communicationsbetween the server cluster 200 and other devices via communication link210 to network 212.

Additionally, the configuration of cluster routers 206 can be based atleast in part on the data communication requirements of server devices202 and data storage 204, the latency and throughput of the localcluster network 208, the latency, throughput, and cost of communicationlink 210, and/or other factors that may contribute to the cost, speed,fault-tolerance, resiliency, efficiency and/or other design goals of thesystem architecture.

As a possible example, data storage 204 may include any form ofdatabase, such as a structured query language (SQL) database. Varioustypes of data structures may store the information in such a database,including but not limited to tables, arrays, lists, trees, and tuples.Furthermore, any databases in data storage 204 may be monolithic ordistributed across multiple physical devices.

Server devices 202 may be configured to transmit data to and receivedata from cluster data storage 204. This transmission and retrieval maytake the form of SQL queries or other types of database queries, and theoutput of such queries, respectively. Additional text, images, video,and/or audio may be included as well. Furthermore, server devices 202may organize the received data into web page representations. Such arepresentation may take the form of a markup language, such as thehypertext markup language (HTML), the extensible markup language (XML),or some other standardized or proprietary format. Moreover, serverdevices 202 may have the capability of executing various types ofcomputerized scripting languages, such as but not limited to Perl,Python, PHP Hypertext Preprocessor (PHP), Active Server Pages (ASP),JavaScript, and so on. Computer program code written in these languagesmay facilitate the providing of web pages to client devices, as well asclient device interaction with the web pages.

III. Example Remote Network Management Architecture

FIG. 3 depicts a remote network management architecture, in accordancewith example embodiments. This architecture includes three maincomponents, managed network 300, remote network management platform 320,and third-party networks 340, all connected by way of Internet 350.

Managed network 300 may be, for example, an enterprise network used by abusiness for computing and communications tasks, as well as storage ofdata. Thus, managed network 300 may include various client devices 302,server devices 304, routers 306, virtual machines 308, firewall 310,and/or proxy servers 312. Client devices 302 may be embodied bycomputing device 100, server devices 304 may be embodied by computingdevice 100 or server cluster 200, and routers 306 may be any type ofrouter, switch, or gateway.

Virtual machines 308 may be embodied by one or more of computing device100 or server cluster 200. In general, a virtual machine is an emulationof a computing system, and mimics the functionality (e.g., processor,memory, and communication resources) of a physical computer. Onephysical computing system, such as server cluster 200, may support up tothousands of individual virtual machines. In some embodiments, virtualmachines 308 may be managed by a centralized server device orapplication that facilitates allocation of physical computing resourcesto individual virtual machines, as well as performance and errorreporting. Enterprises often employ virtual machines in order toallocate computing resources in an efficient, as needed fashion.Providers of virtualized computing systems include VMWARE® andMICROSOFT®.

Firewall 310 may be one or more specialized routers or server devicesthat protect managed network 300 from unauthorized attempts to accessthe devices and services therein, while allowing authorizedcommunication that is initiated from managed network 300. Firewall 310may also provide intrusion detection, web filtering, virus scanning,application-layer gateways, and other services. In some embodiments notshown in FIG. 3, managed network 300 may include one or more virtualprivate network (VPN) gateways with which it communicates with remotenetwork management platform 320 (see below).

Managed network 300 may also include one or more proxy servers 312. Anembodiment of proxy servers 312 may be a server device that facilitatescommunication and movement of data between managed network 300, remotenetwork management platform 320, and third-party networks 340. Inparticular, proxy servers 312 may be able to establish and maintainsecure communication sessions with one or more customer instances ofremote network management platform 320. By way of such a session, remotenetwork management platform 320 may be able to discover and manageaspects of the architecture and configuration of managed network 300 andits components. Possibly with the assistance of proxy servers 312,remote network management platform 320 may also be able to discover andmanage aspects of third-party networks 340 that are used by managednetwork 300.

Firewalls, such as firewall 310, typically deny all communicationsessions that are incoming by way of Internet 350, unless such a sessionwas ultimately initiated from behind the firewall (i.e., from a deviceon managed network 300) or the firewall has been explicitly configuredto support the session. By placing proxy servers 312 behind firewall 310(e.g., within managed network 300 and protected by firewall 310), proxyservers 312 may be able to initiate these communication sessions throughfirewall 310. Thus, firewall 310 might not have to be specificallyconfigured to support incoming sessions from remote network managementplatform 320, thereby avoiding potential security risks to managednetwork 300.

In some cases, managed network 300 may consist of a few devices and asmall number of networks. In other deployments, managed network 300 mayspan multiple physical locations and include hundreds of networks andhundreds of thousands of devices. Thus, the architecture depicted inFIG. 3 is capable of scaling up or down by orders of magnitude.

Furthermore, depending on the size, architecture, and connectivity ofmanaged network 300, a varying number of proxy servers 312 may bedeployed therein. For example, each one of proxy servers 312 may beresponsible for communicating with remote network management platform320 regarding a portion of managed network 300. Alternatively oradditionally, sets of two or more proxy servers may be assigned to sucha portion of managed network 300 for purposes of load balancing,redundancy, and/or high availability.

Remote network management platform 320 is a hosted environment thatprovides aPaaS services to users, particularly to the operators ofmanaged network 300. These services may take the form of web-basedportals, for instance. Thus, a user can securely access remote networkmanagement platform 320 from, for instance, client devices 302, orpotentially from a client device outside of managed network 300. By wayof the web-based portals, users may design, test, and deployapplications, generate reports, view analytics, and perform other tasks.

As shown in FIG. 3, remote network management platform 320 includes fourcustomer instances 322, 324, 326, and 328. Each of these instances mayrepresent a set of web portals, services, and applications (e.g., awholly-functioning aPaaS system) available to a particular customer. Insome cases, a single customer may use multiple customer instances. Forexample, managed network 300 may be an enterprise customer of remotenetwork management platform 320, and may use customer instances 322,324, and 326. The reason for providing multiple instances to onecustomer is that the customer may wish to independently develop, test,and deploy its applications and services. Thus, customer instance 322may be dedicated to application development related to managed network300, customer instance 324 may be dedicated to testing theseapplications, and customer instance 326 may be dedicated to the liveoperation of tested applications and services.

The multi-instance architecture of remote network management platform320 is in contrast to conventional multi-tenant architectures, overwhich multi-instance architectures have several advantages. Inmulti-tenant architectures, data from different customers (e.g.,enterprises) are comingled in a single database. While these customers'data are separate from one another, the separation is enforced by thesoftware that operates the single database. As a consequence, a securitybreach in this system may impact all customers' data, creatingadditional risk, especially for entities subject to governmental,healthcare, and/or financial regulation. Furthermore, any databaseoperations that impact one customer will likely impact all customerssharing that database. Thus, if there is an outage due to hardware orsoftware errors, this outage affects all such customers. Likewise, ifthe database is to be upgraded to meet the needs of one customer, itwill be unavailable to all customers during the upgrade process. Often,such maintenance windows will be long, due to the size of the shareddatabase

In contrast, the multi-instance architecture provides each customer withits own database in a dedicated computing instance. This preventscomingling of customer data, and allows each instance to beindependently managed. For example, when one customer's instanceexperiences an outage due to errors or an upgrade, other customerinstances are not impacted. Maintenance down time is limited because thedatabase only contains one customer's data. Further, the simpler designof the multi-instance architecture allows redundant copies of eachcustomer database and instance to be deployed in a geographicallydiverse fashion. This facilitates high availability, where the liveversion of the customer's instance can be moved when faults are detectedor maintenance is being performed.

In order to support multiple customer instances in an efficient fashion,remote network management platform 320 may implement a plurality ofthese instances on a single hardware platform. For example, when theaPaaS system is implemented on a server cluster such as server cluster200, it may operate a virtual machine that dedicates varying amounts ofcomputational, storage, and communication resources to instances. Butfull virtualization of server cluster 200 might not be necessary, andother mechanisms may be used to separate instances. In some examples,each instance may have a dedicated account and one or more dedicateddatabases on server cluster 200. Alternatively, customer instance 322may span multiple physical devices.

In some cases, a single server cluster of remote network managementplatform 320 may support multiple independent enterprises. Furthermore,as described below, remote network management platform 320 may includemultiple server clusters deployed in geographically diverse data centersin order to facilitate load balancing, redundancy, and/or highavailability.

Third-party networks 340 may be remote server devices (e.g., a pluralityof server clusters such as server cluster 200) that can be used foroutsourced computational, data storage, communication, and servicehosting operations. These servers may be virtualized (i.e., the serversmay be virtual machines). Examples of third-party networks 340 mayinclude AMAZON WEB SERVICES® and MICROSOFT® Azure. Like remote networkmanagement platform 320, multiple server clusters supporting third-partynetworks 340 may be deployed at geographically diverse locations forpurposes of load balancing, redundancy, and/or high availability.

Managed network 300 may use one or more of third-party networks 340 todeploy services to its clients and customers. For instance, if managednetwork 300 provides online music streaming services, third-partynetworks 340 may store the music files and provide web interface andstreaming capabilities. In this way, the enterprise of managed network300 does not have to build and maintain its own servers for theseoperations.

Remote network management platform 320 may include modules thatintegrate with third-party networks 340 to expose virtual machines andmanaged services therein to managed network 300. The modules may allowusers to request virtual resources and provide flexible reporting forthird-party networks 340. In order to establish this functionality, auser from managed network 300 might first establish an account withthird-party networks 340, and request a set of associated resources.Then, the user may enter the account information into the appropriatemodules of remote network management platform 320. These modules maythen automatically discover the manageable resources in the account, andalso provide reports related to usage, performance, and billing.

Internet 350 may represent a portion of the global Internet. However,Internet 350 may alternatively represent a different type of network,such as a private wide-area or local-area packet-switched network.

FIG. 4 further illustrates the communication environment between managednetwork 300 and customer instance 322, and introduces additionalfeatures and alternative embodiments. In FIG. 4, customer instance 322is replicated across data centers 400A and 400B. These data centers maybe geographically distant from one another, perhaps in different citiesor different countries. Each data center includes support equipment thatfacilitates communication with managed network 300, as well as remoteusers.

In data center 400A, network traffic to and from external devices flowseither through VPN gateway 402A or firewall 404A. VPN gateway 402A maybe peered with VPN gateway 412 of managed network 300 by way of asecurity protocol such as Internet Protocol Security (IPSEC). Firewall404A may be configured to allow access from authorized users, such asuser 414 and remote user 416, and to deny access to unauthorized users.By way of firewall 404A, these users may access customer instance 322,and possibly other customer instances. Load balancer 406A may be used todistribute traffic amongst one or more physical or virtual serverdevices that host customer instance 322. Load balancer 406A may simplifyuser access by hiding the internal configuration of data center 400A,(e.g., customer instance 322) from client devices. For instance, ifcustomer instance 322 includes multiple physical or virtual computingdevices that share access to multiple databases, load balancer 406A maydistribute network traffic and processing tasks across these computingdevices and databases so that no one computing device or database issignificantly busier than the others. In some embodiments, customerinstance 322 may include VPN gateway 402A, firewall 404A, and loadbalancer 406A.

Data center 400B may include its own versions of the components in datacenter 400A. Thus, VPN gateway 402B, firewall 404B, and load balancer406B may perform the same or similar operations as VPN gateway 402A,firewall 404A, and load balancer 406A, respectively. Further, by way ofreal-time or near-real-time database replication and/or otheroperations, customer instance 322 may exist simultaneously in datacenters 400A and 400B.

Data centers 400A and 400B as shown in FIG. 4 may facilitate redundancyand high availability. In the configuration of FIG. 4, data center 400Ais active and data center 400B is passive. Thus, data center 400A isserving all traffic to and from managed network 300, while the versionof customer instance 322 in data center 400B is being updated innear-real-time. Other configurations, such as one in which both datacenters are active, may be supported.

Should data center 400A fail in some fashion or otherwise becomeunavailable to users, data center 400B can take over as the active datacenter. For example, domain name system (DNS) servers that associate adomain name of customer instance 322 with one or more Internet Protocol(IP) addresses of data center 400A may re-associate the domain name withone or more IP addresses of data center 400B. After this re-associationcompletes (which may take less than one second or several seconds),users may access customer instance 322 by way of data center 400B.

FIG. 4 also illustrates a possible configuration of managed network 300.As noted above, proxy servers 312 and user 414 may access customerinstance 322 through firewall 310. Proxy servers 312 may also accessconfiguration items 410. In FIG. 4, configuration items 410 may refer toany or all of client devices 302, server devices 304, routers 306, andvirtual machines 308, any applications, programs, or services executingthereon, as well as relationships between devices and services. Thus,the term “configuration items” may be shorthand for any physical orvirtual device or service remotely discoverable or managed by customerinstance 322, or relationships between discovered devices and services.Configuration items may be represented in a configuration managementdatabase (CMDB) of customer instance 322.

As noted above, VPN gateway 412 may provide a dedicated VPN to VPNgateway 402A. Such a VPN may be helpful when there is a significantamount of traffic between managed network 300 and customer instance 322,or security policies otherwise suggest or require use of a VPN betweenthese sites. In some embodiments, any device in managed network 300and/or customer instance 322 that directly communicates via the VPN isassigned a public IP address. Other devices in managed network 300and/or customer instance 322 may be assigned private IP addresses (e.g.,IP addresses selected from the 10.0.0.0-10.255.255.255 or192.168.0.0-192.168.255.255 ranges, represented in shorthand as subnets10.0.0.0/8 and 192.168.0.0/16, respectively).

IV. Example Device and Service Discovery

In order for remote network management platform 320 to administer thedevices and services of managed network 300, remote network managementplatform 320 may first determine what devices are present in managednetwork 300, the configurations and operational statuses of thesedevices, and the services provided by the devices, and well as therelationships between discovered devices and services. As noted above,each device, service, and relationship may be referred to as aconfiguration item. The process of defining configuration items withinmanaged network 300 is referred to as discovery, and may be facilitatedat least in part by proxy servers 312.

For purpose of the embodiments herein, a “service” may refer to aprocess, thread, application, program, server, or any other softwarethat executes on a device. A “service” may also refer to a high-levelcapability provided by multiple processes, threads, applications,programs, and/or servers on one or more devices working in conjunctionwith one another. For example, a high-level web service may involvemultiple web application server threads executing on one device andaccessing information from a database service that executes on anotherdevice. The distinction between different types or levels of servicesmay depend upon the context in which they are presented.

FIG. 5A provides a logical depiction of how configuration items can bediscovered, as well as how information related to discoveredconfiguration items can be stored. For sake of simplicity, remotenetwork management platform 320, third-party networks 340, and Internet350 are not shown.

In FIG. 5A, CMDB 500 and task list 502 are stored within customerinstance 322. Customer instance 322 may transmit discovery commands toproxy servers 312. In response, proxy servers 312 may transmit probes tovarious devices and services in managed network 300. These devices andservices may transmit responses to proxy servers 312, and proxy servers312 may then provide information regarding discovered configurationitems to CMDB 500 for storage therein. Configuration items stored inCMDB 500 represent the environment of managed network 300.

Task list 502 represents a list of activities that proxy servers 312 areto perform on behalf of customer instance 322. As discovery takes place,task list 502 is populated. Proxy servers 312 repeatedly query task list502, obtain the next task therein, and perform this task until task list502 is empty or another stopping condition has been reached.

To facilitate discovery, proxy servers 312 may be configured withinformation regarding one or more subnets in managed network 300 thatare reachable by way of proxy servers 312. For instance, proxy servers312 may be given the IP address range 192.168.0/24 as a subnet. Then,customer instance 322 may store this information in CMDB 500 and placetasks in task list 502 for discovery of devices at each of theseaddresses.

FIG. 5A also depicts devices and services in managed network 300 asconfiguration items 504, 506, 508, 510, and 512. As noted above, theseconfiguration items represent a set of physical and/or virtual devices(e.g., client devices, server devices, routers, or virtual machines),services executing thereon (e.g., web servers, email servers, databases,or storage arrays), relationships therebetween, as well as higher-levelservices that involve multiple individual configuration items.

Placing the tasks in task list 502 may trigger or otherwise cause proxyservers 312 to begin discovery. Alternatively or additionally, discoverymay be manually triggered or automatically triggered based on triggeringevents (e.g., discovery may automatically begin once per day at aparticular time).

In general, discovery may proceed in four logical phases: scanning,classification, identification, and exploration. Each phase of discoveryinvolves various types of probe messages being transmitted by proxyservers 312 to one or more devices in managed network 300. The responsesto these probes may be received and processed by proxy servers 312, andrepresentations thereof may be transmitted to CMDB 500. Thus, each phasecan result in more configuration items being discovered and stored inCMDB 500.

In the scanning phase, proxy servers 312 may probe each IP address inthe specified range of IP addresses for open Transmission ControlProtocol (TCP) and/or User Datagram Protocol (UDP) ports to determinethe general type of device. The presence of such open ports at an IPaddress may indicate that a particular application is operating on thedevice that is assigned the IP address, which in turn may identify theoperating system used by the device. For example, if TCP port 135 isopen, then the device is likely executing a WINDOWS® operating system.Similarly, if TCP port 22 is open, then the device is likely executing aUNIX® operating system, such as LINUX®. If UDP port 161 is open, thenthe device may be able to be further identified through the SimpleNetwork Management Protocol (SNMP). Other possibilities exist. Once thepresence of a device at a particular IP address and its open ports havebeen discovered, these configuration items are saved in CMDB 500.

In the classification phase, proxy servers 312 may further probe eachdiscovered device to determine the version of its operating system. Theprobes used for a particular device are based on information gatheredabout the devices during the scanning phase. For example, if a device isfound with TCP port 22 open, a set of UNIX®-specific probes may be used.Likewise, if a device is found with TCP port 135 open, a set ofWINDOWS®-specific probes may be used. For either case, an appropriateset of tasks may be placed in task list 502 for proxy servers 312 tocarry out. These tasks may result in proxy servers 312 logging on, orotherwise accessing information from the particular device. Forinstance, if TCP port 22 is open, proxy servers 312 may be instructed toinitiate a Secure Shell (SSH) connection to the particular device andobtain information about the operating system thereon from particularlocations in the file system. Based on this information, the operatingsystem may be determined. As an example, a UNIX® device with TCP port 22open may be classified as AIX®, HPUX, LINUX®, MACOS®, or SOLARIS®. Thisclassification information may be stored as one or more configurationitems in CMDB 500.

In the identification phase, proxy servers 312 may determine specificdetails about a classified device. The probes used during this phase maybe based on information gathered about the particular devices during theclassification phase. For example, if a device was classified as LINUX®,as a set of LINUX®-specific probes may be used. Likewise if a device wasclassified as WINDOWS® 2012, as a set of WINDOWS®-2012-specific probesmay be used. As was the case for the classification phase, anappropriate set of tasks may be placed in task list 502 for proxyservers 312 to carry out. These tasks may result in proxy servers 312reading information from the particular device, such as basicinput/output system (BIOS) information, serial numbers, networkinterface information, media access control address(es) assigned tothese network interface(s), IP address(es) used by the particular deviceand so on. This identification information may be stored as one or moreconfiguration items in CMDB 500.

In the exploration phase, proxy servers 312 may determine furtherdetails about the operational state of a classified device. The probesused during this phase may be based on information gathered about theparticular devices during the classification phase and/or theidentification phase. Again, an appropriate set of tasks may be placedin task list 502 for proxy servers 312 to carry out. These tasks mayresult in proxy servers 312 reading additional information from theparticular device, such as processor information, memory information,lists of running processes (services), and so on. Once more, thediscovered information may be stored as one or more configuration itemsin CMDB 500.

Running discovery on a network device, such as a router, may utilizeSNMP. Instead of or in addition to determining a list of runningprocesses or other application-related information, discovery maydetermine additional subnets known to the router and the operationalstate of the router's network interfaces (e.g., active, inactive, queuelength, number of packets dropped, etc.). The IP addresses of theadditional subnets may be candidates for further discovery procedures.Thus, discovery may progress iteratively or recursively.

Once discovery completes, a snapshot representation of each discovereddevice and service is available in CMDB 500. For example, afterdiscovery, operating system version, hardware configuration and networkconfiguration details for client devices, server devices, and routers inmanaged network 300, as well as services executing thereon, may bestored. This collected information may be presented to a user in variousways to allow the user to view the hardware composition and operationalstatus of devices, as well as the characteristics of services.

Furthermore, CMDB 500 may include entries regarding dependencies andrelationships between configuration items. More specifically, anapplication that is executing on a particular server device, as well asthe services that rely on this application, may be represented as suchin CMDB 500. For instance, suppose that a database application isexecuting on a server device, and that this database application is usedby a new employee onboarding service as well as a payroll service. Thus,if the server device is taken out of operation for maintenance, it isclear that the employee onboarding service and payroll service will beimpacted. Likewise, the dependencies and relationships betweenconfiguration items may be able to represent the services impacted whena particular router fails.

In general, dependencies and relationships between configuration itemsbe displayed on a web-based interface and represented in a hierarchicalfashion. Thus, adding, changing, or removing such dependencies andrelationships may be accomplished by way of this interface.

Furthermore, users from managed network 300 may develop workflows thatallow certain coordinated activities to take place across multiplediscovered devices. For instance, an IT workflow might allow the user tochange the common administrator password to all discovered LINUX®devices in single operation.

In order for discovery to take place in the manner described above,proxy servers 312, CMDB 500, and/or one or more credential stores may beconfigured with credentials for one or more of the devices to bediscovered. Credentials may include any type of information needed inorder to access the devices. These may include userid/password pairs,certificates, and so on. In some embodiments, these credentials may bestored in encrypted fields of CMDB 500. Proxy servers 312 may containthe decryption key for the credentials so that proxy servers 312 can usethese credentials to log on to or otherwise access devices beingdiscovered.

The discovery process is depicted as a flow chart in FIG. 5B. At block520, the task list in the customer instance is populated, for instance,with a range of IP addresses. At block 522, the scanning phase takesplace. Thus, the proxy servers probe the IP addresses for devices usingthese IP addresses, and attempt to determine the operating systems thatare executing on these devices. At block 524, the classification phasetakes place. The proxy servers attempt to determine the operating systemversion of the discovered devices. At block 526, the identificationphase takes place. The proxy servers attempt to determine the hardwareand/or software configuration of the discovered devices. At block 528,the exploration phase takes place. The proxy servers attempt todetermine the operational state and services executing on the discovereddevices. At block 530, further editing of the configuration itemsrepresenting the discovered devices and services may take place. Thisediting may be automated and/or manual in nature.

The blocks represented in FIG. 5B are for purpose of example. Discoverymay be a highly configurable procedure that can have more or fewerphases, and the operations of each phase may vary. In some cases, one ormore phases may be customized, or may otherwise deviate from theexemplary descriptions above.

V. Example Types of Credentials

The embodiments herein involve storage and use of various types ofcredentials to access computing devices and services on managednetworks, whether for purpose of discovery or other operations. Eachcredential type may refer to the content of the credential and/or how itis used. Some credentials are used with certain classes of computingdevices and/or services. For instance, SSH credentials may include auserid and a password, and may be used to access computing devicesexecuting a UNIX® operating system. Alternatively, SSH credentials maybe considered to be associated with the SSH service in general.

The following examples of credentials may be kept within a credentialstore (see below). These examples, however, are not comprehensive, andother types of credentials are possible. Each of these examples mayinclude a userid/password pair, a certificate, and/or any additionaldata described below.

Basic authentication credentials may be used during discovery or otherprocedures to access one or more computing devices on a managed network.Cloud-based services credentials may be used to access accounts onthird-party networks. Examples of cloud-based services credentialsinclude AMAZON WEB SERVICES® and MICROSOFT® Azure account information,such as access keys. JAVA® database connectivity (JDBC®) credentials maybe used to access databases from JAVA® applications. Particularly, JDBC®defines a set of APIs through which such databases can be queried andupdated. JAVA® message service (JMS) credentials may be used to send andreceive messages between JAVA® applications. Particularly, JMS defines aset of roles for messaging participants and APIs through which theparticipants may communicate. SNMP credentials may be used to accessnetworked devices, typically other than client devices and serverdevices. Thus, in some embodiments, routers and printers may offer SNMPinterfaces for monitoring, configuration, and operational purposes. Asnoted above, SSH credentials may be used to remotely access certaintypes of computing devices (e.g., those executing a variation of theUNIX® operating system). In addition to a userid/password pair, SSHcredentials may include a passphrase and a private key. WINDOWS®credentials may be used to remotely access computing devices that areexecuting the WINDOWS® operating system (e.g., by way of the POWERSHELL®application).

Any of the credential types above, or any other type of credential, maybe stored in a table with additional fields. These additional fields mayinclude a name for displaying to the user, an indication of whether thecredential is active, a label that refers to a specific activity forwhich the credential is to be used, a priority of the credential amongstcredentials of the same type, and whether the credential is storedexternally (e.g., somewhere other than in a customer instance).

The label field may be used to identify credentials that should be usedfor a specific task. For instance, a computing device may have two setsof credentials associated with it: regular credentials and rootcredentials. Logging in to the computing device with the rootcredentials may be necessary if the computing device is to be rebooted,as the regular credentials might not be authorized to carry out thisactivity. Thus, the root credentials may be associated with a label of“root” so that they can be distinguished as such for higher-level tasks.

The priority field may be used to provide a relative ordering ofcredentials amongst other credentials of the same type. As one possibleexample, the priority field may be a number between 0 and 100,inclusive, with higher numbers representing higher priorities. Forinstance, if there are four different SSH credentials in the credentialstore, one may be assigned a priority of 100, another the priority of90, and the final two a default priority of 0. In this arrangement, whenan SSH credential is needed for access to a computing device, thecredential with the priority of 100 may be tried first. If access failswith that credential, the credential with the priority of 90 may betried. If access fails with that credential, the two credentials withpriorities of 0 may tried in random order.

The external storage field may be populated with the address oridentifier of a secure storage location of the credentials when thosecredentials are not located within the customer instance. For instance,some managed networks may maintain a secure storage location containingsome or all of their credentials. Doing so may provide an extra layer ofsecurity, as the credentials are not stored in the customer instanceexcept in a transitory fashion.

Regardless of its arrangement, the password fields, and perhaps theuserid fields, may be encrypted in the credential store. For instance,computing devices on the customer instance may share an instance keythat can be used to decrypt encrypted fields. The instance key may beused to decrypt encrypted data within a particular customer instance. Inthis manner, access to the credentials can be limited to individuals anddevices with the appropriate authorization.

VI. Example Credential Acquisition

FIG. 6A depicts a logical arrangement of network components, not unlikethat of FIG. 5A. Managed network 300 includes proxy servers 312, as wellas UNIX® servers 600, 602, and 604, and client device 606. Customerinstance 322 includes credential store 608 and server device 610. Otherelements, such as firewalls and tasks lists, are omitted for purpose ofsimplicity.

UNIX® servers 600, 602, and 604 may be physical or virtual serverdevices that execute a variation of the UNIX® operating system. Thesedevices may be remotely accessible by way of SSH. Client device 606 maybe any type of computing device (e.g., a desktop or laptop computer)that a user operates to remotely manage UNIX® servers 600, 602, and 604.

Credential store 608 may be a database or another arrangement ofinformation that includes one or more sets of credentials. In someembodiments, credential store 608 may be part of CMDB 500. As notedabove, the credentials stored in credential store 608 may be encrypted.Some or all credentials for customer instance 322 may be placed incredential store 608. In this way, the credentials are in oneplace—possibly a single unified database table wherein each recordrefers to a specific credential.

Server device 610 may be a physical or virtual computing device thatperforms various operations within customer instance 322. For instance,server device 610 may include program logic that operates MVCapplications. This logic may retrieve data from a CMDB (e.g., CMDB 500)and display representations of this data on a web-based GUI. In somecases, this GUI may represent UNIX® servers 600, 602, and 604, andthrough the GUI a user at client device 606 may be able to triggeroperations that impact one or more of these server devices.Alternatively, server device 610 may automatically trigger suchoperations.

To that point, FIG. 6B illustrates an example operation, and inparticular how credentials are used to support the operation. Theoperation involves client device 606 accessing a server device 610, andcausing server device 610 to instruct proxy servers 312 to remotelyaccess UNIX® server 600.

At step 620, client device 606 may trigger an activity on server device610. For example, by way of a web-based GUI, the user of client device606 may instruct server device 610 to reboot UNIX® server 600.

At step 622, server device 610 may transmit, to proxy servers 312, anaccess command containing an endpoint identifier of UNIX® server 600(e.g., a domain name or IP address) and an indication of a service(e.g., SSH). This access command may instruct proxy servers 312 to causea reboot of UNIX® server 600. The reboot may be caused by proxy servers312 remotely logging on to UNIX® server 600 by way of SSH, and issuing acommand line instruction to initiate the reboot. If special SSHcredential credentials (e.g., root credentials) are needed to do so, andthese credentials are associated with a label, the label may be includedin the command.

After receiving the command, at step 624, proxy servers 312 maydetermine that credentials are needed to remotely access UNIX® server600 so that the reboot can be carried out. For instance, proxy servers312 may access a credential cache to determine whether SSH credentialsfor UNIX® server 600 are stored at proxy servers 312.

Assuming that this is not the case, at step 626, proxy servers 312 maytransmit a request to credential store 608. This request may specifythat SSH credentials are desired, and may include a label.

At step 628, credential store 608 may look up the requested credentials.If multiple SSH credentials are found and a label is not specified inthe request, the SSH credentials with the highest priority may beselected. If a label is specified in the request, the SSH credentialsassociated with the label and having the highest priority may beselected. As noted above, if multiple credentials with the same priorityfit the selection criteria, one of these credentials may be randomlyselected.

At step 630, credential store 608 may transmit, to proxy servers 312,the selected credentials in a response. At step 632, proxy servers 312may attempt to remotely access UNIX® server 600. If this remote accessfails, proxy servers 312 may request, from credential store 608, anotherset of credentials fitting the selection criteria. In this fashion,multiple attempts to access UNIX® server 600 using different sets ofcredentials may take place until the proper set of credentials is found,or all credentials fitting the selection criteria are exhausted.Alternatively, the response of step 630 may include a list ofcredentials, and proxy servers 312 may iterate through this listattempting to access UNIX® server 600 with these credentials untileither a set of credentials works or the list is exhausted.

As noted above, the remote access at step 632 may involve proxy servers312 logging on to UNIX® server 600 by way of SSH and issuing a commandline that causes UNIX® server 600 to reboot. However, the processillustrated in FIG. 6B may be used for other types of remote accessactivities.

At step 634, proxy servers 312 may cache the credentials that weresuccessfully used to remotely access UNIX® server 600. These credentialsmay be temporarily stored in proxy servers 312 with a reference to anendpoint identifier (e.g., a domain name or IP address) of UNIX® server600. When stored in this fashion, the credentials may be said to have an“affinity” to UNIX® server 600, and may be used in future remoteaccesses. Particularly, proxy servers 312 may be able to remotely accessUNIX® server 600 (e.g., by way of SSH) without requesting credentialsfrom credential store 608 as long as the credentials are cached.

Security of credentials used in this fashion may be facilitated byencryption. In some embodiments, computing devices within customerinstance 322 may share an instance key that can be used to encryptand/or decrypt fields in CMDB 500 or credential store 608. Thus, whencredentials are entered into credential store 608 (e.g., by a userlogged into server device 610 while operating client device 606), partor all of these credentials may be encrypted with the instance key. Inthis way, the credentials cannot be viewed by any entity that has accessto credential store 608, but lacks the instance key.

When credentials are transmitted from credential store 608, such as atstep 630, the instance key may be used to decrypt the credentials priorto transmission. Proxy servers 312 and credential store 608 may share asession key for securing credentials transmitted therebetween (in somecases, the session key may be used by some other component of customerinstance 322, such as server device 610 or a load balancer that managesnetwork traffic between managed network 300 and customer instance 322).In any event, part or all of the credentials may be re-encrypted withthe session key then transmitted to proxy servers 312. In somevariations, the credentials may first be encrypted with a public key ofproxy servers 312, and then encrypted again with the session key. Inthese variations, proxy servers 312 first decrypt the credentials withthe session key then once again with their private key. The private keyand public key may be a cryptographic pair such that cryptographictransformations performed using one can be reversed by cryptographictransformations performed using the other.

Proxy servers 312 may also store the received credentials in anencrypted form, but can decrypt the credentials for use. Regardless ofexactly how these transactions are carried out, proxy server devices ina managed network can securely obtain credentials to remotely accesscomputing devices on the managed network. Such a capability facilitatesa wide range of high-level services.

For instance, the discovery service described above may rely upon thissecure obtaining of credentials. As an example, proxy servers 312 mayseek to discover the configuration and operational characteristics ofUNIX® server 600 (which is not known to be a UNIX® server until at leastpart of discovery takes place). Thus, during the classification phase,proxy servers 312 may use the obtained credentials to probe UNIX® server600 to determine its operating system. Furthermore, during theidentification phase, proxy servers 312 may use the obtained credentialsto probe UNIX® server 600 to determine the hardware and networkingconfiguration of UNIX® server 600. Additionally, during the explorationphase, proxy servers 312 may use the obtained credentials to probe UNIX®server 600 to determine, for example, applications, processes, and/orservices executing on UNIX® server 600.

But the obtained credentials may be used for a wide variety ofadditional tasks. As noted above, these tasks may be referred to as“orchestrations,” and may involve scripts or other program logicexecuting on a server device in customer instance 322 (e.g., serverdevice 610), and carrying out activities. As one possible example, anorchestration may involve changing a common password on a set of LINUX®server devices. The common password may be an administrative orapplication password that is periodically changed (e.g., every 60, 90,or 120 days) in order to minimize risk in the event that the passwordbecomes known to unauthorized parties. If the set contains more than afew server devices (e.g., if the set includes dozens of server devices),then manually changing the password on all of these server devices maybe a time-consuming and error-prone task. However, by way of anorchestration script, the credentials for these server devices can beobtained by proxy servers 312, and proxy servers 312 can carry out thesechanges. Furthermore, the orchestration script can be configured toautomatically run on a periodic basis or from time to time so that thesesecurity procedures do not need to be manually triggered.

Another possible orchestration example is the onboarding of newemployees at an enterprise. When a new employee is hired, informationabout this employee may need to be entered into a number of computingsystems in order for that employee to effectively carry out his or herjob and be appropriately compensated. For instance, the employee mayneed to be set up with an enterprise network account for access toshared file systems, and an email account for communication. Further,the employee may need to be granted access to supply chain computingsystems, as well as entered into finance and HR computing systems. Eachof these activities may be carried out by different departments of theenterprise (e.g., IT, supply chain, finance, and HR, respectively). Butwith orchestration scripts executing in the customer instance, all ofthese activities may be triggered by entering the new employee'sinformation in just one place.

Many other possible orchestrations exist. The embodiments herein are notlimited to the examples provided above.

Despite the advantages provided by the embodiments described above,there are some drawbacks as well. As noted above, a managed network maysimultaneously operate multiple customer instances at a remote networkmanagement platform. In some cases, one customer instance may bededicated to application development, another customer instance may bededicated to testing these applications, and yet another customerinstance may be dedicated to the production operation of testedapplications and services.

Each of these customer instances may use different sets of credentialsfor access to computing devices and services on the managed network.While the live operation instance may use the “true” credentials ofcomputing devices and services in products on the managed network, theother instances may use different sets of credentials for purposes ofapplication development and testing, and may also be developing andtesting services executing on different computing devices (e.g.,dedicated development or testbed environments).

Furthermore, even if credentials were shared between customer instances,the credentials in each instance are encrypted with that instance'sinstance key. Thus, in order to transfer credentials between instances,they would either exist in an unencrypted state for a period of time, orinstance keys would be shared between instances. The former would reducesecurity and increase the risk that these credentials could becompromised. The latter would allow users with access to development andtesting instances to be able to decrypt credentials used in theproduction environment, again reducing security and increasing the riskthat these credentials could be compromised.

As a consequence, it is desirable to maintain different sets ofcredentials for each customer instance, and to not allow users only withaccess to particular instances be able to obtain credentials fromanother instance. Thus, the computing devices, services, and associatedcredentials that a particular orchestration uses may be different fromcustomer instance to customer instance even when the same managednetwork is using each of these customer instances. This results in thecredential store in a production instance possibly having to be updatedeach time a new computing device, service, or orchestration is deployedfrom the development instance or testing instance to the productioninstance. Furthermore, the program logic of the orchestration scriptsmay need to be modified to accommodate the change in computing devicesand associated credentials. Thus, transitioning orchestrations from oneinstance to another can be a time consuming and error-prone process.

Moreover, a credential store may maintain multiple sets of credentialsper service (e.g., 10 SSH credentials). Until an affinity is foundbetween the service executing on a particular computing device and aparticular set of credentials, multiple sets of credentials may be usedin attempts to access the particular computing device. In some cases,this may cause the particular computing device to lock out one or moreaccounts from using the service, as unsuccessful access attempts mayappear to be a hacking effort.

The solutions herein involve using labels to identify not onlycredentials, but logical endpoints as well. Such an endpoint may be anIP address or URL that uniquely identifies a particular computingdevice. Furthermore, an endpoint may be specified as a range of IPaddresses (e.g., 10.10.10/8) when a number of computing devices on oneor more subnets share the same credentials for specific services.

TABLE 1

ame Label Endpoint Service Userid

LINUX- 192.168.1.128/25 SSH root red1 ROOT

LINUX- 192.168.1.128/25 SSH it-help red2 NONPRIV

LINUX- SSH webadmin red3 WEB

LINUX-SQL SSH sqluser red4

WINDOWS- 192.168.1.0/24 WINDOWS admin red5 SHELL

JDBC-A jdbc:mysql://example.com/db-a JDBC sql red6

JDBC-B jdbc:mysql://example.com/db-b JDBC sql red7

indicates data missing or illegible when filed

Table 1 illustrates some non-limiting examples of how these labels mightbe arranged. The data in Table 1 may be stored in a CMDB of a customerinstance. Other instances may store tables with the same labels butdifferent endpoints and credentials.

This solution address the problems described above. Notably,orchestrations can refer to labels rather than endpoints, and thereforedo not need to change when transitioned between instances. Also, byincluding endpoints in the credential records, affinity is built intothese records.

Table 1 assumes that the 192.168.1.0/24 subnet includes computingdevices executing the WINDOWS® operating system, and the192.168.1.128/25 range of this subnet includes computing devicesexecuting the LINUX® operating system. Other types of computing devicesmay be present throughout the subnet.

The LINUX® devices may be configured with the following accounts: a rootaccount with unlimited access, an it-help account with access limited tospecific IT administration tasks (e.g., starting and stoppingapplications, as well as obtaining system status), a webadmin accountwith access limited to managing a web server, and an sqluser accountwith access limited to managing a database. The WINDOWS® devices may beconfigured with a POWERSHELL® account for remote access, which isreferred to as the “WINDOWS” service. It is assumed that the LINUX®root, it-help, webadmin, and sqluser accounts, as well as the WINDOWS®POWERSHELL® account are possibly configured on multiple computingdevices of the respective operating system type.

The managed network also includes two JDBC® services at respective URLs.These URLS may refer to different services executing on the samephysical computing device, or to services executing on two differentcomputing devices.

Table 1 includes several columns that define the context of each set ofcredentials. The name column is a user-defined name that may have nosubstantive impact on credential operations. However, it may serve toprovide a convenient way for users to refer to different credentials.

The label column defines a label associated with each credential. Asnoted above, labels are not required. In order to use a label, the usermay first associate the label with a set of credentials in thecredential store, then use that label in an orchestration script. Theorchestration script may use the credential associated with the labelfor any activities marked with the label.

The endpoint column defines the optional endpoint with which thecredential is to be used. The format of the endpoint may be an IPaddress, URL, or any other type of endpoint identifier.

The service column defines the type of service, such as SSH, POWERSHELL®(“WINDOWS”), and JDBC®. Other services may be used.

The userid column defines the account name part of the credentials.Along with account names, credentials also may include passwords, whichare not shown in Table 1.

Another column that may be present in Table 1 is an active column thatdefines whether the credentials are active. Inactive credentials aredefined in the credential store but the credential store generally willnot provide them in response to a request for credentials.

Use of the entries in such a credential store is illustrated in FIG. 6C.Particularly, FIG. 6C illustrates a similar transaction as that of FIG.6B, except that a label is used.

At step 640, client device 606 may trigger an activity on server device610. For example, the user of client device 606 may instruct serverdevice 610 to remotely access UNIX® server 600. At step 642, serverdevice 610 may transmit, to proxy servers 312, an access commandcontaining a label and an indication of a service (e.g., SSH).Credential store 608 may have been preconfigured to associate the labelwith an endpoint identifier of UNIX® server 600 (e.g., a domain name orIP address).

After receiving the command, at step 644, proxy servers 312 maydetermine that the endpoint identifier and the credentials are needed toremotely access UNIX® server 600 so that the remote access can becarried out. For instance, proxy servers 312 may access a credentialcache to determine whether an endpoint identifier and/or SSH credentialsassociated with the label are stored at proxy servers 312. In someembodiments, credentials might not be available, and only the endpointidentifier is provided.

Assuming that this is not the case, at step 646, proxy servers 312 maytransmit a request to credential store 608. This request may specify thelabel and that the endpoint and its SSH credentials are desired.

At step 648, credential store 608 may look up the requested endpoint andcredentials using the label. At step 650, credential store 608 maytransmit, in a response to proxy servers 312, the endpoint identifier ofthe endpoint and the credentials. At step 652, proxy servers 312 mayattempt to remotely access UNIX® server 600 by way of the endpointidentifier and credentials.

At step 654, proxy servers 312 may cache the endpoint and credentialsthat were successfully used to remotely access UNIX® server 600. Thus,proxy servers 312 may be able to remotely access UNIX® server 600 againwithout requesting the endpoint and credentials from credential store608, for as long as the credentials are cached.

In embodiments in which an endpoint is not determined until runtime, thetransaction of FIG. 6C may involve using a label to look up justcredentials, rather than an endpoint and credentials. The transactionmay be substantive similar to that of FIG. 6C, except that the endpointis determined between steps 650 and 652.

Such an embodiment may take place during discovery. The label may referto remotely accessing, by way of SSH, UNIX® server devices in general,and therefore might not identify a specific endpoint.

VII. Example Operations

FIG. 7 is a flow chart illustrating an example embodiment. The processillustrated by FIG. 7 may be carried out by a computing device, such ascomputing device 100, and/or a cluster of computing devices, such asserver cluster 200. However, the process can be carried out by othertypes of devices or device subsystems. For example, the process could becarried out by a portable computer, such as a laptop or a tablet device.

The embodiments of FIG. 7 may be simplified by the removal of any one ormore of the features shown therein. Further, these embodiments may becombined with features, aspects, and/or implementations of any of theprevious figures or otherwise described herein.

Block 700 may involve receiving, by a server device that stores aplurality of access credentials for computing devices that are disposedwithin a managed network, a request containing a label and an indicationof an application service. The server device may be disposed within aremote network management platform that remotely manages the managednetwork. The request may be received from a requesting device. Theapplication service may be any type of service discussed above, or adifferent type of service used in a managed network.

Block 702 may involve mapping, by the server device, the label and theapplication service to an endpoint identifier of a target computingdevice that is disposed within the managed network. The endpointidentifier may be associated with particular access credentials of theplurality of access credentials, where the particular access credentialsare usable to access the application service executing on the targetcomputing device.

Block 704 may involve transmitting, by the server device and to therequesting device, the endpoint identifier and the particular accesscredentials. Reception of the endpoint identifier and the particularaccess credentials may cause the requesting device to remotely accessthe application service executing on the target computing device. Forexample, the requesting device may log in to the target computing deviceby way of the application service and gather information regarding theconfiguration and/or operational state of the target computing deviceand/or make changes to this configuration and/or operational state.

In some embodiments, the requesting device is a proxy server device thatis disposed within the managed network. In some embodiments, theendpoint identifier is an IP address or URL. In some embodiments, theapplication service is a remote login service. In some embodiments, theserver device stores, in a single database table, some or all accesscredentials that are managed by the remote network management platformon behalf of the managed network. Thus, the server device may be adedicated credential store, or a CMDB that stores credentials.

In some embodiments, reception of the endpoint identifier and/or theparticular access credentials may also cause the requesting device tostore a record associating the label, the application service, and theparticular access credentials.

In some embodiments, the particular access credentials include a useridand password usable to log on to the application service of the targetcomputing device. The password may be stored, in the server device, inan encrypted manner. Transmitting the particular access credentials mayinvolve decrypting the password with an instance key that is notavailable to the requesting device, encrypting the password with asession key that is shared between the server device and the requestingdevice, and transmitting the password as encrypted with the session key.

The server device may be a first server device that is part of a firstcomputing instance that is disposed within the remote network managementplatform. The target computing device may be a first target computingdevice. The plurality of access credentials may be a first plurality ofaccess credentials. The endpoint identifier may be a first endpointidentifier.

The process of FIG. 7 may further include receiving, by a second serverdevice that stores a second plurality of access credentials forcomputing devices that are disposed within the managed network, a secondrequest containing the label and the application service. The secondserver device may be part of a second computing instance that isdisposed within the remote network management platform. Secondparticular access credentials of the second plurality of accesscredentials may be usable to access the application service executing ona second target computing device that is disposed within the managednetwork. The second request may be received from the requesting device;

The process of FIG. 7 may further include mapping, by the second serverdevice, the label and the application service to a second endpointidentifier of the second target computing device. The second endpointidentifier may be associated with the second particular accesscredentials that are usable to access the application service executingon the second target computing device.

The process of FIG. 7 may further include transmitting, by the serverdevice and to the requesting device, the second endpoint identifier andthe second particular access credentials.

VIII. Conclusion

The present disclosure is not to be limited in terms of the particularembodiments described in this application, which are intended asillustrations of various aspects. Many modifications and variations canbe made without departing from its scope, as will be apparent to thoseskilled in the art. Functionally equivalent methods and apparatuseswithin the scope of the disclosure, in addition to those describedherein, will be apparent to those skilled in the art from the foregoingdescriptions. Such modifications and variations are intended to fallwithin the scope of the appended claims.

The above detailed description describes various features and operationsof the disclosed systems, devices, and methods with reference to theaccompanying figures. The example embodiments described herein and inthe figures are not meant to be limiting. Other embodiments can beutilized, and other changes can be made, without departing from thescope of the subject matter presented herein. It will be readilyunderstood that the aspects of the present disclosure, as generallydescribed herein, and illustrated in the figures, can be arranged,substituted, combined, separated, and designed in a wide variety ofdifferent configurations.

With respect to any or all of the message flow diagrams, scenarios, andflow charts in the figures and as discussed herein, each step, block,and/or communication can represent a processing of information and/or atransmission of information in accordance with example embodiments.Alternative embodiments are included within the scope of these exampleembodiments. In these alternative embodiments, for example, operationsdescribed as steps, blocks, transmissions, communications, requests,responses, and/or messages can be executed out of order from that shownor discussed, including substantially concurrently or in reverse order,depending on the functionality involved. Further, more or fewer blocksand/or operations can be used with any of the message flow diagrams,scenarios, and flow charts discussed herein, and these message flowdiagrams, scenarios, and flow charts can be combined with one another,in part or in whole.

A step or block that represents a processing of information cancorrespond to circuitry that can be configured to perform the specificlogical functions of a herein-described method or technique.Alternatively or additionally, a step or block that represents aprocessing of information can correspond to a module, a segment, or aportion of program code (including related data). The program code caninclude one or more instructions executable by a processor forimplementing specific logical operations or actions in the method ortechnique. The program code and/or related data can be stored on anytype of computer readable medium such as a storage device including RAM,a disk drive, a solid state drive, or another storage medium.

The computer readable medium can also include non-transitory computerreadable media such as computer readable media that store data for shortperiods of time like register memory and processor cache. The computerreadable media can further include non-transitory computer readablemedia that store program code and/or data for longer periods of time.Thus, the computer readable media may include secondary or persistentlong term storage, like ROM, optical or magnetic disks, solid statedrives, compact-disc read only memory (CD-ROM), for example. Thecomputer readable media can also be any other volatile or non-volatilestorage systems. A computer readable medium can be considered a computerreadable storage medium, for example, or a tangible storage device.

Moreover, a step or block that represents one or more informationtransmissions can correspond to information transmissions betweensoftware and/or hardware modules in the same physical device. However,other information transmissions can be between software modules and/orhardware modules in different physical devices.

The particular arrangements shown in the figures should not be viewed aslimiting. It should be understood that other embodiments can includemore or less of each element shown in a given figure. Further, some ofthe illustrated elements can be combined or omitted. Yet further, anexample embodiment can include elements that are not illustrated in thefigures.

While various aspects and embodiments have been disclosed herein, otheraspects and embodiments will be apparent to those skilled in the art.The various aspects and embodiments disclosed herein are for purpose ofillustration and are not intended to be limiting, with the true scopebeing indicated by the following claims.

1-20. (canceled)
 21. A system comprising: a processor; a memory storinginstructions that, when executed by the processor, cause the processorto perform operations comprising: receiving, from a server, a requestcontaining a label and an indication of an application service, whereinthe label is a character string that identifies an association betweenthe application service and an endpoint identifier, wherein the endpointidentifier identifies a computing device disposed within a managednetwork; storing, in a configuration management database (CMDB), theassociation between the application service and the endpoint identifier;determining that an access credential is required to access theapplication service executing on the computing device; retrieving theaccess credential from the CMDB based on the endpoint identifier; andtransmitting the endpoint identifier and the access credential to theserver, wherein the endpoint identifier is associated with the accesscredential used to access the application service executing on thecomputing device, and wherein reception of the endpoint identifiercauses the server to remotely access the application service executingon the computing device.
 22. The system of claim 21, wherein theendpoint identifier is an IP address or uniform resource locator. 23.The system of claim 21, wherein the CMDB is a single database table thatstores the association between the endpoint identifier, the label, andthe application service.
 24. The system of claim 23, wherein the CMDBstores all access credentials that are managed by a remote networkmanagement platform on behalf of the managed network.
 25. The system ofclaim 21, wherein the application service is a remote login service. 26.The system of claim 21, wherein the access credential is obtained via anorchestration script executed on a proxy server.
 27. The system of claim26, wherein the orchestration script is configured to automatically runon a predetermined time schedule.
 28. A method comprising: receiving,via a processor, a request from a server containing a label and anindication of an application service, wherein the label is a characterstring that identifies an association between the application serviceand an endpoint identifier, wherein the endpoint identifier identifies acomputing device disposed within a managed network; storing, via aprocessor, the association between the application service and theendpoint identifier in a configuration management database (CMDB);determining, via the processor, that an access credential is required toaccess the application service executing on the computing device;retrieving, via the processor, the access credential from the CMDB basedon the endpoint identifier; and transmitting, via the processor, theendpoint identifier and the access credential to the server, wherein theendpoint identifier is associated with the access credential used toaccess the application service executing on the computing device, andwherein reception of the endpoint identifier causes the server toremotely access the application service executing on the computingdevice.
 29. The method of claim 28, wherein the endpoint identifier isan IP address or uniform resource locator.
 30. The method of claim 28,wherein the CMDB is a single database table that stores the associationbetween the endpoint identifier, the label, and the application service.31. The method of claim 30, wherein the CMDB stores all accesscredentials that are managed by a remote network management platform onbehalf of the managed network.
 32. The method of claim 28, wherein theapplication service is a remote login service.
 33. The method of claim28, wherein the access credential is obtained via an orchestrationscript executed on a proxy server.
 34. The method of claim 33,orchestration script is configured to automatically run on apredetermined time schedule.
 35. A non-transitory computer-readablemedium, having stored thereon program instructions that, upon executionby a server that is disposed within a remote network management platformthat remotely manages a managed network, cause the server to performoperations comprising: receiving, from the server, a request containinga label and an indication of an application service, wherein the labelis a character string that identifies an association between theapplication service and an endpoint identifier, wherein the endpointidentifier identifies a computing device disposed within the managednetwork; storing, in a configuration management database (CMDB), theassociation between the application service and the endpoint identifier;determining that an access credential is required to access theapplication service executing on the computing device; retrieving theaccess credential from the CMDB based on the endpoint identifier; andtransmitting the endpoint identifier and access credential to theserver, wherein the endpoint identifier is associated with the accesscredential used to access the application service executing on thecomputing device, and wherein reception of the endpoint identifiercauses the server to remotely access the application service executingon the computing device.
 36. The non-transitory computer-readable mediumof claim 35, wherein the endpoint identifier is an IP address or uniformresource locator.
 37. The non-transitory computer-readable medium ofclaim 35, wherein the CMDB is a single database table that stores theassociation between the endpoint identifier, the label, and theapplication service.
 38. The non-transitory computer-readable medium ofclaim 37, wherein the CMDB stores all access credentials that aremanaged by a remote network management platform on behalf of the managednetwork.
 39. The non-transitory computer-readable medium of claim 35,wherein the application service is a remote login service.
 30. Thenon-transitory computer-readable medium of claim 35, wherein the accesscredential is obtained via an orchestration script executed on a proxyserver.